SiYuan SanitizeSVG Bypass Vulnerability Leading to Unauthenticated Reflected Cross-Site Scripting

Vulnerability

A reflected cross-site scripting vulnerability has been identified in SiYuan, a personal knowledge management system, in versions through 3.6.0. The issue arises from the SanitizeSVG function, which fails to block certain data: URI media types that can execute JavaScript when rendered inside an SVG document. The vulnerability is reachable through the unauthenticated API endpoint /api/icon/getDynamicIcon, which serves user-controlled content as image/svg+xml without proper escaping. This flaw allows the injection of executable SVG elements, such as links with JavaScript event handlers, creating a click-through XSS scenario. Exploitation requires the victim to navigate directly to the crafted URL, or the SVG to be embedded in an object or embed tag, because image tags do not render interactive links.

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript execution in the context of the SiYuan web application, with the potential to abuse authenticated actions and access sensitive data such as notes, configuration details, and API responses.

Reproduction

To reproduce this vulnerability, send a GET request to the /api/icon/getDynamicIcon endpoint with the type parameter set to 8 and the content parameter set to a crafted SVG payload that exploits the SanitizeSVG bypass. The payload can be carried in a data:text/xml or data:application/xml URI, which SanitizeSVG does not properly filter and which can execute JavaScript when the SVG is rendered.

Remediation

Users should upgrade to SiYuan version 3.6.1, which addresses this vulnerability by improving the SanitizeSVG function to block data:text/xml and data:application/xml URIs.
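The following Go program is an added example, not SiYuan's own SanitizeSVG and not code taken from this advisory. It shows one way to implement the check the fix describes and to flag matching requests in access logs: it decodes entities, extracts the media type of every data: URI in an SVG document, rejects the two types named above, and applies the same check to the content parameter of requests to /api/icon/getDynamicIcon with type set to 8. Only the endpoint path, the parameter names, the value 8 and the two blocked media types come from the advisory; the function names, the entity-decoding step and the sample inputs are assumptions constructed here.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// Media types the advisory says SiYuan 3.6.1 blocks inside data: URIs.
// The list comes from the advisory; the checking code around it is an
// illustrative re-implementation, not SiYuan's own SanitizeSVG.
var blockedDataMIMEs = map[string]bool{
	"text/xml":        true,
	"application/xml": true,
}

// dataURIPattern captures the media type of every data: URI in a document.
// It is case-insensitive and tolerates whitespace around the colon, so that
// `DATA : text/xml` is treated the same as `data:text/xml`. The \b keeps a
// word such as "metadata:" from matching.
var dataURIPattern = regexp.MustCompile(`(?i)\bdata\s*:\s*([a-z0-9.+-]+/[a-z0-9.+-]+)`)

// FindBlockedDataURIs returns the lower-cased media types of every data: URI
// in svg whose type is on the block list. Entities are decoded first so that
// an attribute written as "data:text&#47;xml" is still recognised.
func FindBlockedDataURIs(svg string) []string {
	decoded := html.UnescapeString(svg)
	var found []string
	for _, m := range dataURIPattern.FindAllStringSubmatch(decoded, -1) {
		mime := strings.ToLower(m[1])
		if blockedDataMIMEs[mime] {
			found = append(found, mime)
		}
	}
	return found
}

// SVGPassesDataURICheck reports whether svg contains none of the blocked
// data: URI media types. This is one check a sanitizer would run, not a
// complete SVG sanitizer.
func SVGPassesDataURICheck(svg string) bool {
	return len(FindBlockedDataURIs(svg)) == 0
}

// FlagGetDynamicIconRequest inspects a request URL as it would appear in an
// access log and reports whether it targets /api/icon/getDynamicIcon with
// type=8 and a content parameter carrying a blocked data: URI. The endpoint,
// parameter names and the value 8 are taken from the advisory.
func FlagGetDynamicIconRequest(rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	if u.Path != "/api/icon/getDynamicIcon" {
		return false, nil
	}
	q := u.Query()
	if q.Get("type") != "8" {
		return false, nil
	}
	return !SVGPassesDataURICheck(q.Get("content")), nil
}

func main() {
	// Constructed samples. The second uses an inert placeholder body, so it
	// exercises the check without being a working payload.
	samples := []string{
		`<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>`,
		`<svg xmlns="http://www.w3.org/2000/svg"><a href="DATA:Text/XML,PLACEHOLDER">x</a></svg>`,
	}
	for _, s := range samples {
		fmt.Printf("passes=%v blocked=%v\n", SVGPassesDataURICheck(s), FindBlockedDataURIs(s))
	}
	// A request line as it might appear in an access log (constructed).
	logged := "/api/icon/getDynamicIcon?type=8&content=" + url.QueryEscape(samples[1])
	flagged, _ := FlagGetDynamicIconRequest(logged)
	fmt.Println("request flagged:", flagged)
}
```

A scheme blocklist like this is the narrow fix the advisory describes, and it is useful as a detection rule over request logs, but it is not a substitute for an allowlist-based sanitizer that parses the SVG and drops every element and attribute not explicitly permitted; a blocklist only covers the media types someone has already thought of.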

Added: Mar 20, 2026, 4:22 AM
Updated: Mar 20, 2026, 4:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 1.7
exploitability: 6.8
remediation: 7.7
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.